FDA, industry gird for new cybersecurity worry: medical device hacking

  • Industry and feds expect rise in device hacking attempts. 
  • Cybersecurity experts in demand as groups respond to attacks. 

By Casey Harper


Regulators and medical devicemakers are stepping up efforts to brace for an expected barrage of hacking attacks even as legal and technical uncertainties leave them in uncharted territory.

Tens of millions of electronic health records have been compromised in recent years, a number that is growing and some say underreported.

High-profile attacks have hit hospitals and health plans, and now attention is turning to a new vulnerability: medical devices like pacemakers and insulin pumps.

The FDA has become increasingly concerned about the issue and is working to coordinate a response with other agencies should a serious medical device hack occur.

"This is what we said to manufacturers; one should consider the environment a hostile environment, there are constant attempts at intrusion ... and they have to be hardened," said Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

The rumblings of this coming wave have already begun.

More than 113 million personal health records were compromised in 2015, according to provider data reported to the Department of Health and Human Services. That figure is about nine times as many as in 2014.

Last fall, Johnson & Johnson had to tell its customers that its insulin pumps had a security vulnerability through which hackers could access the device and cause a potentially fatal overdose of insulin. The pump, called the Animas OneTouch Ping, had a wireless remote that made it vulnerable. A wireless connection can be an easy access point for hackers.

A similar incident occurred in July of 2015 when the FDA told hospitals not to use Hospira's Symbiq infusion pumps because of a vulnerability that could allow the pump to be accessed through a hospital network.

A hacker could take over the device and change the dose, threatening patient safety. The pump was no longer being sold by Hospira, but the FDA discouraged providers from buying it from third parties. 

In 2013, famed hacker Barnaby Jack claimed he had discovered how to hack a pacemaker from up to 50 feet away and create a lethal shock to the device. He was set to reveal his method at the world's largest hacker conference in Las Vegas but died the night before. 

Notably, former Vice President Dick Cheney's doctor had the wireless capability of his pacemaker disabled so that a hacker could not access the device.

So far, though, there have been no known cases of hacking of a medical device causing patient harm, according to Zach Rothstein, associate vice president at the Advanced Medical Technology Association. 

Healthcare's hacking problem.

Hackers can tap into one weak point at a hospital, like an unsecured wireless printer, and from there reach the entire system. Hackers can take over a hospital's electronic records or lock it out of its own systems and only return control after a ransom is paid, often in Bitcoin.

Hackers can change medical records' information on allergies, diagnoses, or doses of prescribed drugs. Incorrect information on even one medical record could be fatal. Aside from the obvious human cost, an incident like that could have serious financial consequences for a hospital. 

"In just the last few years ... we've seen more than a hundred million health records of American citizens breached in a couple of well-publicized incidents," Terry Rice, vice president of IT risk management and chief information security officer at Merck & Company, told the Energy and Commerce Oversight and Investigations Subcommittee last week.

"Vulnerabilities in pacemakers and insulin pumps can be exploited to cause potentially lethal attacks and we have witnessed entire hospitals in the U.S. and U.K. shutting down for multiple days to combat ransomware infections in critical systems," he added.

Health and Human Services has acted to combat these cybersecurity threats. The Office of the National Coordinator for Health Information Technology, which leads the administration's health technology efforts, awarded $350,000 last October to the National Health Information Sharing and Analysis Center to educate healthcare stakeholders. The funding would also create a system to allow groups to share information about breaches and ransomware attacks. 

Rice, who serves on the Healthcare Industry Cybersecurity Task Force, which was created by the Cybersecurity Information Sharing Act of 2015, told the subcommittee that the cybersecurity problem is "significantly underreported."

He also noted the lack of incentives for companies to report, chiefly fear of harm to their brand or reputation.

“Organizations are unlikely to report security incidents if not required to do so given the potential reputational harm that might occur," he said. "The reports we read about are only a small fraction of the incidents that actually occur."

A 2016 study by the Ponemon Institute found that the majority of breaches reported by the organizations it surveyed involved fewer than 500 records, which aren't counted in the latest HHS data.

Who is liable?

Hacking of a medical device could lead to injury, illness or death, which raises the question: if someone sues, who is liable?

The FDA says in its premarket guidance that “FDA recognizes that medical device security is a shared responsibility between stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices.”

This could be encouraging for devicemakers, since security flaws unrelated to the device itself, such as an unsecured wireless printer on the same network, could make a device reachable by a hacker.

Since there have been no known cases of patient harm related to medical device hacking, there has been no litigation to date. But Melissa Markey, a technology and cybersecurity lawyer at Hall Render, said that within the next decade hacking attempts and, as a result, litigation will increase.

Markey points out that FDA guidance on medical devices says manufacturers have an obligation to consider the cybersecurity of their devices at design time and throughout the operating life of the device. That language would likely provide the basis on which someone could allege that manufacturers had a duty to do more to secure devices.

"Even though we would have all intuitively said, well yes medical devicemakers obviously should make their devices safe from being hacked, that FDA guidance removes any question, I think, that, yeah, this is an obligation," Markey told The Hill Extra.

Markey said even hospitals could end up filing suit against devicemakers if a device made their systems vulnerable.

Vaccine liability could serve as a model, Markey suggested.

The National Vaccine Injury Compensation program was created in the 1980s to protect vaccine companies and healthcare providers from lawsuits from individuals who claimed a vaccine caused them injury.

The fund was a "no-fault" system that served as insurance for the vaccine companies after lawsuits began to give companies qualms about staying in the vaccine business. It could prove to be a model for the device industry if fear of lawsuits begins to stymie innovation.

"There are some people who hack because this is a money-making opportunity, and there will be people who figure out how to hack medical devices in order to make money," Markey said. "They will find a way to exploit a vulnerability and use that to get money from the device company or they will use that to get money from another company somehow."

Industry response.

Information sharing is considered a major bulwark against hacking attempts. The healthcare community has an information sharing group where providers, manufacturers and others can exchange threat information and update their defenses against what is at times a common adversary.

Within this community, medical devicemakers have their own sub-community. Congress and the industry are jointly promoting healthcare information sharing, hoping to bring it up to par with the sharing done by similar groups in other industries, such as the financial sector, which is known for its cyber readiness.

Rothstein said both the FDA and industry are hiring cybersecurity experts across the board to bolster their defenses.

"You're starting to see FDA hire software experts so that internally they have more capabilities to evaluate cyber security programs of these companies," he said. 

Many companies are adopting "coordinated disclosure" policies under which researchers or "white hat" hackers report vulnerabilities directly to the company rather than making them public first.

If a vulnerability is made public before the company is aware of it, hackers could seize the opportunity to compromise devices before the company has time to fix the flaw.

Hospitals are backing up their files and also increasingly writing cybersecurity requirements into their contractual agreements with vendors. Rothstein expects this practice to increase.

"The medical device industry, I would say in the last two-and-a-half years or so, has gone from general understanding of the issue, general participation to extreme awareness and participation in cybersecurity efforts," Rothstein said.